Opened 9 years ago

Closed 9 years ago

#1560 closed task (fixed)

add jmckenna to sudoers on osgeo6

Reported by: Jeff McKenna
Owned by: sac@…
Priority: normal
Milestone:
Component: SysAdmin
Keywords:
Cc:

Description

I need to change permissions of files in /var/www/mapserver.org/ on the new osgeo6

Thanks,

Change History (16)

comment:1 by Jeff McKenna, 9 years ago

polite bump

comment:2 by wildintellect, 9 years ago

I think we determined what should happen is creating a mapserver group and setting the default umask to 002 instead of 022. That does leave the question of where the group membership should inherit from, or if we just one-off add people as needed on the machine (can we use LDAP for this?).

comment:3 by Jeff McKenna, 9 years ago

I access the machine with my LDAP account, yes (jmckenna).

Likely I will be the only person to access the machine in the mapserver group, that is not already an OSGeo admin (going by past machine histories).

Whatever you choose, can you enable this today?

comment:4 by Jeff McKenna, 9 years ago

Did you make a decision? Is there anything I can do to help move this along faster?

comment:5 by Jeff McKenna, 9 years ago

It is now 12 days later. Can I please have an update? I am trying very hard to wait patiently. 12 days is a little extreme.

Should the OSGeo Board provide funding for admin tasks? Should the OSGeo Board provide external resources (paid admin staff person) to deal with these tasks?

Please let me and the OSGeo Board know what can be done to help.

Thanks,

-jeff

comment:6 by martin, 9 years ago

As far as I understand, it's unclear *how* to proceed. OSGeo used to have crowds of users with "sudo"-permission on every VM in the past, but I've understood that's not the desired policy for the future (and I fully agree with reducing "sudo"-permissions).

I'm not in a position to make a decision on how it should be done; this should be made by Alex because he's more familiar with the people involved. Anyhow, creating an LDAP Shell group for every project is my favourite, then chgrp the respective group directories to the respective project group and inherit group permissions via ACLs.

comment:7 by wildintellect, 9 years ago

I thought that you now had permissions to login as the mapserver user which owns the directory and that would solve the immediate issue. Longer term we just need to add you to the group and change the default umask to group write.
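The effect of the umask change discussed in comments 2 and 7, as an added example that is not part of the ticket or of OSGeo's setup: files created under umask 022 lose group write, and a small audit finds the entries a group-based scheme still has to fix. The function names and the temporary directory (standing in for the project web root) are hypothetical, and the setgid check is an added assumption, a simpler alternative to the ACL inheritance mentioned in comment 6.

```shell
#!/bin/sh
# Added example: shared, group-writable directory versus the default umask.

# make_file DIR NAME UMASK
# Create an empty file the way a group member's shell would with that umask.
make_file() {
    ( umask "$3" && : > "$1/$2" )
}

# audit_group_write DIR
# List files and directories the owning group cannot write to
# (candidates for chmod g+w). Symlinks are skipped.
audit_group_write() {
    find "$1" ! -type l ! -perm -020 -print | sort
}

# audit_setgid DIR
# List directories without the setgid bit. New files in such a directory
# take the creator's primary group instead of the project group.
audit_setgid() {
    find "$1" -type d ! -perm -2000 -print | sort
}

# Constructed sample tree; it stands in for the project web root.
demo_dir=$(mktemp -d)
chmod 775 "$demo_dir"
chmod g-s "$demo_dir"
make_file "$demo_dir" made-with-022.html 022   # mode 644: group read-only
make_file "$demo_dir" made-with-002.html 002   # mode 664: group can write

echo "Not group-writable:"
audit_group_write "$demo_dir"
echo "Directories without setgid:"
audit_setgid "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real tree, the first list shows what a one-time chmod -R g+w would repair, while the umask and setgid settings decide whether the problem comes back with the next file created.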

comment:8 by Jeff McKenna, 9 years ago

There are several items I would tackle on the old Projects machine, that required my sudo access. I don't think it is wrong of the president of the foundation to be asking for this. This is disheartening arguing for this, I am sorry for being honest here.

comment:9 by wildintellect, 9 years ago

You are in the mapserver group, and I made sure to chmod -R g+w /home/mapserver/mapserver-docs-git-branch-6-4/

The ticket didn't state you wanted to fix anything else. If you want to join SAC officially that would be reasonable. This is a reaction to the awkward mess of too many sudoers on the Old projects VM, it was not specific to you. We also don't have things compartmented yet, so sudo on osgeo6 is sudo over a lot of other things than just the Projects.

comment:10 by Jeff McKenna, 9 years ago

Here I am arguing, to make a change so I can get some work done, work that is for the foundation, on my own time.

I should not have to argue for this.

I am speechless.

comment:11 by Jeff McKenna, 9 years ago

thanks

comment:12 by Jeff McKenna, 9 years ago

Resolution: wontfix
Status: new → closed

comment:13 by wildintellect, 9 years ago

I think I missed this. /var/www/mapserver now group owned by mapserver group and chmod group write applied.

comment:14 by wildintellect, 9 years ago

Resolution: wontfix
Status: closed → reopened

comment:15 by martin, 9 years ago, in reply to comment:10

Replying to jmckenna:

> Here I am arguing, to make a change so I can get some work done, work that is for the foundation, on my own time.
>
> I should not have to argue for this.
>
> I am speechless.

I'm convinced that the strategy of granting system access permissions on the basis of administrative roles in the organization is a very bad advisor - and I'm looking back at 20 years of professional Unix system administration in a wide variety of organizations (and also on a wide variety of Unix systems).

Our (at least Alex's and my) concern is to implement a sustainable schema for access control on OSGeo resources and this works best when you're telling us precisely what's missing so we can take appropriate care of it.

comment:16 by Jeff McKenna, 9 years ago

Resolution: fixed
Status: reopened → closed

I trust both your experience. I agree, I will open new tickets for any commands I need run. Closing this ticket.